SKJ 3083: Computer and Information

Security Audit

LECTURE 1
IT Audit Overview

Dr Kamarudin Saadan
©For internal use only
 Main topics
 Introduction
 The impact of IT on organization
 The work of an IT Auditor
 IT Audit skills
 Professional IT Auditor organizations and
certifications
 Structuring IT audit
 Introduction
 IT auditor in demand
– Why?
 The work of an IT Auditor is interesting and
challenging
– Why?
 Impact of IT on Organization
 IT creates opportunities
 Opportunities may bring risks
 IT Governance
 IT Governance
DEFINITION
…the process for controlling an
organization’s IT resources, including
information and communication systems,
and technology.
OBJECTIVES
…using IT to promote an organization’s
objectives and enable business processes
and to manage and control IT related
risks.
 CobiT’s IT Governance
Management Guideline
Identifies critical success factors,
key goal and performance indicators,
and an IT governance maturity
model.
IT governance framework begins
with setting IT objectives and
measures and compares performance
against them
 The IT Governance Framework
PROVIDE
DIRECTION

Set Objectives IT Activities

 IT is aligned with business  Increase automation
 IT enables the business (make the business

COMPARE
and maximizes benefits effective)
 IT resources are used  Decrease cost (make
responsibly enterprise efficient)
 IT-related risks managed  Manage risks (security
appropriately reliability and
compliance)

MEASURE
PERFORMANCE
 IT and Transaction (Tx)
Processing
 The IS collects transaction data
 The IS turns data into information
 Computerized Tx systems increase some
risks and decrease others
 What do IT auditors do?
 Evaluate controls over specific applications
 Provides assurance over specific processes
 Provide third-party assurance
 Do penetrating tests
 Support financial audit
 Works on many kind of audit
engagementssearching for IT-based fraud
 Financial vs IT Audits
 IT auditors may work on financial audit
engagements
 IT auditors may work on every step of the
financial audit engagement
 Standards, such as SAS No. 94, guide the work of
IT auditors on financial audit engagements
 IT audit work on financial audit engagements is
likely to increase as internal control evaluation
becomes more important
 IT Audit Skills
 College education – IS, computer science,
accounting
 Certifications – CPA, CFE, CIA, CISA,
CISSP, and special technical certifications
 Technical IT audit skills – specialized
technologies
 General personal and business skills
 Professional Groups and
Certifications
 ISACA – CISA
 IIA – CIA
 ACFE – CFE
 AICPA – CPA and CITP
 How to Structure an IT Audit
 AICPA Standards and Guidelines – GAAS,
SAS, and SSAE
 IFAC Guidelines – harmonized or common
international accounting standards and
guidelines
 ISACA standards, guidelines, and
procedures – includes CobiT and audit
standards
 An Overview of the Course
 Section I – an introduction to IT audit, the legal
and ethical environment of the IT audit,
introduction to risks and controls
 Section II – risks over specific processes and
technologies – deployment of IS, operation of IS,
network systems, and e-business systems
 Section III – how to do an It audit – use of
CAATTs and a step-by-step IT audit
 IT Audit Glossary
 ACL tutorial